Wireless Hacking: Breaking Through
- The Easiest Way to Get in
- A Short Fence to Climb: Bypassing Closed ESSIDs, MAC, and Protocols Filtering
- Picking a Trivial Lock: Various Means of Cracking WEP
- Picking the Trivial Lock in a Less Trivial Way: Injecting Traffic to Accelerate WEP Cracking
- Field Observations in WEP Cracking
- Cracking TKIP: The New Menace
- The Frame of Deception: Wireless Man-in-the-Middle Attacks and Rogue Access Points Deployment
- Breaking the Secure Safe
- The Last Resort: Wireless DoS Attacks
- Summary
"To advance irresistibly, push through their gaps."
Sun Tzu
If you have already read the wireless penetration testing section of the template in Appendix G, you will find that this chapter is a more detailed walk-through. If you understand how WLANs work, comprehend the general wireless security principles, and have researched both tools of the trade and test and attack planning chapters, you might skip this one. Otherwise, stay with us and read the answers to your questions.
The Easiest Way to Get in
The first thing any attacker looks for is "low-hanging fruit." An inexperienced attacker will search for it because he or she can't get into anything else, whereas an experienced Black Hat will look for it to save time and to be sure that (unless it's a honeypot) no IDS and egress filtering is present and hosts on the network are easy to break into for further backdoor planting. Despite the opinion of a few "security experts," the amount of wide-open wireless networks is incredible. By "wide open" we mean no WEP, no MAC filtering, no closed ESSID, no protocol filtering, and most likely AP management interface accessible from the WLAN. There are a variety of reasons why this situation exists, the major one being the users' (or even system administrators') laziness and ignorance. When attacking such networks, a cracker has only three main concerns: physical network reachability, connectivity to the Internet, and the (rare) possibility of a honeypot trap. Let's explore each in further detail.
-
Physical network reachability: Even if a network is wide open, it is no good (for a cracker) if the only way to connect to it is to sit with a laptop right under the office window.
-
Connectivity to the Internet: Is it present and how "fat" is the "pipe"?
-
Honeypot trap: Is trouble on the way?
The first issue, reachability, is addressed by a high-gain antenna. A high-gain omnidirectional might look like a walking stick or a pool cue and will not raise any suspicions. The majority of Yagis can pass for poster holders and even the directional dishes would not surprise anyone as long as the cracker passes himself or herself off as telecom engineer troubleshooting a link or even an amateur radio enthusiast. It is truly amazing when you sit in the park with a huge antenna in the middle of nowhere and present yourself as a university student doing research. The second issue, connectivity, can be sorted via multiple means; for example, by looking at the DHCP traffic present, a gateway IP would be shown. We have to admit, we like Ettercap. Press "p/P" for the Ettercap plug-ins available. The plug-in that discovers LAN gateways is called triton. The last issue, the honeypot trap, is difficult to solve. Use your intuition and skill to determine whether this low-hanging fruit is poisoned. Looking for sniffers helps; check out the hunter plug-in in Ettercap (Figure 8-1).
Figure 8.1 Ettercap hunter plug-in.
Of course, as a corporate penetration tester you can simply ask if there are honeypots, but that would spoil both fun and the challenge, would it not?